Depending on the user, a cookie may time out the instant you login.
Current thinking is to use a proper session system, with a random token used instead of the password.
= User Logs in
Auth them
Create token in $_SESSION (user_id|token|timestamp|admin)
Insert token into 'current_sessions' table, with timestamp
On a page load:
= Page start
Clear old tokens
Check $_SESSION for token
= Token found
--- Validate vs DB copy. (user_id, token, timestamp)
--- If it matches, allow them to assume their auth.
= Token not found, use cookie (if there)
--- Existing system.
Update/insert token (refresh its timestamp)
Clear existing token on logout.
Require admins to authenticate every session.
--- If you hit admin after being token authed, you will be prompted for your password
--- This will then set the admin flag to 1 in the db table
--- Any other admin uses for that session will go on happily
The use of sessions and tokens means we never carry around a copy of the user's password. They auth once with it, then we use a random token from there on in. Call it a token or a one-time password.
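The flow above, as an added PHP example (not the original poster's code): the 'current_sessions' table lives in an in-memory SQLite database via PDO, and the column names, the TTL parameter and storing a SHA-256 hash of the token instead of the token itself are assumptions.

```php
<?php
// Token hashes (not tokens) are stored: a dumped table yields no live sessions.
declare(strict_types=1);
function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE current_sessions (user_id INTEGER, token_hash TEXT, ts INTEGER, admin INTEGER)');
    return $db;
}
function token_hash(string $token): string { return hash('sha256', $token); }

// "User logs in": after the password check, mint a random token, record it in the
// DB, and return the array that goes into $_SESSION (user_id|token|timestamp|admin).
function create_session(PDO $db, int $userId, int $now): array {
    $token = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO current_sessions VALUES (?, ?, ?, 0)')
       ->execute([$userId, token_hash($token), $now]);
    return ['user_id' => $userId, 'token' => $token, 'timestamp' => $now, 'admin' => 0];
}

// "Clear old tokens": drop rows not refreshed within $ttl seconds.
function clear_old_tokens(PDO $db, int $now, int $ttl): void {
    $db->prepare('DELETE FROM current_sessions WHERE ts < ?')->execute([$now - $ttl]);
}

// "Validate vs DB copy": user_id and token hash must match a live row; on success
// refresh the timestamp and return the admin flag, null means not authenticated.
function validate_session(PDO $db, array $session, int $now, int $ttl): ?int {
    $sel = $db->prepare('SELECT admin FROM current_sessions WHERE user_id = ? AND token_hash = ? AND ts >= ?');
    $sel->execute([$session['user_id'], token_hash($session['token']), $now - $ttl]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    if ($row === false) { return null; }
    $db->prepare('UPDATE current_sessions SET ts = ? WHERE user_id = ? AND token_hash = ?')
       ->execute([$now, $session['user_id'], token_hash($session['token'])]);
    return (int) $row['admin'];
}

// "Require admins to authenticate every session": only after a fresh password
// check does the admin flag go to 1; later admin pages in this session just read it.
function elevate_admin(PDO $db, array $session): void {
    $db->prepare('UPDATE current_sessions SET admin = 1 WHERE user_id = ? AND token_hash = ?')
       ->execute([$session['user_id'], token_hash($session['token'])]);
}

// "Clear existing token on logout": a stale $_SESSION copy is then rejected by validate_session().
function logout(PDO $db, array $session): void {
    $db->prepare('DELETE FROM current_sessions WHERE user_id = ? AND token_hash = ?')
       ->execute([$session['user_id'], token_hash($session['token'])]);
}
```

A page start would call clear_old_tokens() and then validate_session() on the $_SESSION copy, falling back to the existing cookie path when it returns null.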